wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2025-07-29 18:27:29 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #6242 from julek-wolfssl/harden-tls

Browse Source 
Implement TLS recommendations from RFC 9325
This commit is contained in:
JacobBarthelmeh
2023-04-04 10:13:27 -06:00
committed by GitHub
parent a4a6a05f06 505ab746c6
commit cb422bfaf7
7 changed files with 305 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
.github/workflows/os-check.yml vendored
View File

@ -14,6 +14,7 @@ jobs:
'',
'--enable-all --enable-asn=template',
'--enable-all --enable-asn=original',
'--enable-harden-tls',
]
name: make check
runs-on: ${{ matrix.os }}

22
configure.ac
View File

@ -177,6 +177,26 @@ AS_IF([test "$ax_enable_debug" = "yes"],
# enabled
ENABLED_CERTS="no"
# Implements requirements from RFC9325
AC_ARG_ENABLE([harden-tls],
[AS_HELP_STRING([--enable-harden-tls],[Enable requirements from RFC9325. Possible values are <yes>, <112>, or <128>. <yes> is equivalent to <112>. (default: disabled)])],
[ ENABLED_HARDEN_TLS=$enableval ],
[ ENABLED_HARDEN_TLS=no ]
)
if test "x$ENABLED_HARDEN_TLS" != "xno"
then
if test "x$ENABLED_HARDEN_TLS" == "xyes" || test "x$ENABLED_HARDEN_TLS" == "x112"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_HARDEN_TLS=112"
elif test "x$ENABLED_HARDEN_TLS" == "x128"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_HARDEN_TLS=128"
else
AC_MSG_ERROR([Invalid value for --enable-harden-tls])
fi
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_EXTRA_ALERTS -DWOLFSSL_CHECK_ALERT_ON_ERR"
fi
# Support for forcing 32-bit mode
# To force 32-bit instructions use:
@ -3481,7 +3501,7 @@ AC_ARG_ENABLE([oldtls],
[ ENABLED_OLD_TLS=yes ]
)
if test "$ENABLED_CRYPTONLY" = "yes"
if test "$ENABLED_CRYPTONLY" = "yes" || test "x$ENABLED_HARDEN_TLS" != "xno"
then
ENABLED_OLD_TLS=no
fi

29
src/internal.c
View File

@ -79,6 +79,16 @@
* by default.
* https://www.rfc-editor.org/rfc/rfc8446#section-5.5
* https://www.rfc-editor.org/rfc/rfc9147.html#name-aead-limits
* WOLFSSL_HARDEN_TLS
* Implement the recommendations specified in RFC9325. This macro needs to
* be defined to the desired number of bits of security. The currently
* implemented values are 112 and 128 bits. The following macros disable
* certain checks.
* - WOLFSSL_HARDEN_TLS_ALLOW_TRUNCATED_HMAC
* - WOLFSSL_HARDEN_TLS_ALLOW_OLD_TLS
* - WOLFSSL_HARDEN_TLS_NO_SCR_CHECK
* - WOLFSSL_HARDEN_TLS_NO_PKEY_CHECK
* - WOLFSSL_HARDEN_TLS_ALLOW_ALL_CIPHERSUITES
*/
@ -7128,11 +7138,14 @@ int InitSSL(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup)
}
#endif
#ifdef HAVE_SECURE_RENEGOTIATION
#if defined(HAVE_SECURE_RENEGOTIATION) || \
defined(HAVE_SERVER_RENEGOTIATION_INFO)
if (ssl->options.side == WOLFSSL_CLIENT_END) {
int useSecureReneg = ssl->ctx->useSecureReneg;
/* use secure renegotiation by default (not recommend) */
#ifdef WOLFSSL_SECURE_RENEGOTIATION_ON_BY_DEFAULT
#if defined(WOLFSSL_SECURE_RENEGOTIATION_ON_BY_DEFAULT) || \
(defined(WOLFSSL_HARDEN_TLS) && !defined(WOLFSSL_NO_TLS12) && \
!defined(WOLFSSL_HARDEN_TLS_NO_SCR_CHECK))
useSecureReneg = 1;
#endif
if (useSecureReneg) {
@ -26985,6 +26998,18 @@ static int HashSkeData(WOLFSSL* ssl, enum wc_HashType hashType,
}
#endif
#if defined(WOLFSSL_HARDEN_TLS) && !defined(WOLFSSL_HARDEN_TLS_NO_SCR_CHECK)
if (ssl->secure_renegotiation == NULL ||
!ssl->secure_renegotiation->enabled) {
/* If the server does not acknowledge the extension, the client
* MUST generate a fatal handshake_failure alert prior to
* terminating the connection.
* https://www.rfc-editor.org/rfc/rfc9325#name-renegotiation-in-tls-12 */
WOLFSSL_MSG("ServerHello did not contain SCR extension");
return SECURE_RENEGOTIATION_E;
}
#endif
ssl->options.serverState = SERVER_HELLO_COMPLETE;
if (IsEncryptionOn(ssl, 0)) {

27
src/ssl.c
View File

@ -13889,6 +13889,9 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl,
case ACCEPT_FIRST_REPLY_DONE :
if ( (ssl->error = SendServerHello(ssl)) != 0) {
#ifdef WOLFSSL_CHECK_ALERT_ON_ERR
ProcessReplyEx(ssl, 1); /* See if an alert was sent. */
#endif
WOLFSSL_ERROR(ssl->error);
return WOLFSSL_FATAL_ERROR;
}
@ -13905,6 +13908,9 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl,
#ifndef NO_CERTS
if (!ssl->options.resuming)
if ( (ssl->error = SendCertificate(ssl)) != 0) {
#ifdef WOLFSSL_CHECK_ALERT_ON_ERR
ProcessReplyEx(ssl, 1); /* See if an alert was sent. */
#endif
WOLFSSL_ERROR(ssl->error);
return WOLFSSL_FATAL_ERROR;
}
@ -13917,6 +13923,9 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl,
#ifndef NO_CERTS
if (!ssl->options.resuming)
if ( (ssl->error = SendCertificateStatus(ssl)) != 0) {
#ifdef WOLFSSL_CHECK_ALERT_ON_ERR
ProcessReplyEx(ssl, 1); /* See if an alert was sent. */
#endif
WOLFSSL_ERROR(ssl->error);
return WOLFSSL_FATAL_ERROR;
}
@ -13933,6 +13942,9 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl,
#endif
if (!ssl->options.resuming)
if ( (ssl->error = SendServerKeyExchange(ssl)) != 0) {
#ifdef WOLFSSL_CHECK_ALERT_ON_ERR
ProcessReplyEx(ssl, 1); /* See if an alert was sent. */
#endif
WOLFSSL_ERROR(ssl->error);
return WOLFSSL_FATAL_ERROR;
}
@ -13945,6 +13957,9 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl,
if (!ssl->options.resuming) {
if (ssl->options.verifyPeer) {
if ( (ssl->error = SendCertificateRequest(ssl)) != 0) {
#ifdef WOLFSSL_CHECK_ALERT_ON_ERR
ProcessReplyEx(ssl, 1); /* See if an alert was sent. */
#endif
WOLFSSL_ERROR(ssl->error);
return WOLFSSL_FATAL_ERROR;
}
@ -13962,6 +13977,9 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl,
case CERT_REQ_SENT :
if (!ssl->options.resuming)
if ( (ssl->error = SendServerHelloDone(ssl)) != 0) {
#ifdef WOLFSSL_CHECK_ALERT_ON_ERR
ProcessReplyEx(ssl, 1); /* See if an alert was sent. */
#endif
WOLFSSL_ERROR(ssl->error);
return WOLFSSL_FATAL_ERROR;
}
@ -14000,6 +14018,9 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl,
#ifdef HAVE_SESSION_TICKET
if (ssl->options.createTicket && !ssl->options.noTicketTls12) {
if ( (ssl->error = SendTicket(ssl)) != 0) {
#ifdef WOLFSSL_CHECK_ALERT_ON_ERR
ProcessReplyEx(ssl, 1); /* See if an alert was sent. */
#endif
WOLFSSL_MSG("Thought we need ticket but failed");
WOLFSSL_ERROR(ssl->error);
return WOLFSSL_FATAL_ERROR;
@ -14018,6 +14039,9 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl,
}
if ( (ssl->error = SendChangeCipher(ssl)) != 0) {
#ifdef WOLFSSL_CHECK_ALERT_ON_ERR
ProcessReplyEx(ssl, 1); /* See if an alert was sent. */
#endif
WOLFSSL_ERROR(ssl->error);
return WOLFSSL_FATAL_ERROR;
}
@ -14027,6 +14051,9 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl,
case CHANGE_CIPHER_SENT :
if ( (ssl->error = SendFinished(ssl)) != 0) {
#ifdef WOLFSSL_CHECK_ALERT_ON_ERR
ProcessReplyEx(ssl, 1); /* See if an alert was sent. */
#endif
WOLFSSL_ERROR(ssl->error);
return WOLFSSL_FATAL_ERROR;
}

72
tests/api.c
View File

@ -64674,6 +64674,77 @@ static int test_extra_alerts_bad_psk(void)
return TEST_SKIPPED;
}
#endif
#if defined(WOLFSSL_HARDEN_TLS) && !defined(WOLFSSL_NO_TLS12) && \
defined(HAVE_IO_TESTS_DEPENDENCIES)
static int test_harden_no_secure_renegotiation_io_cb(WOLFSSL *ssl, char *buf,
int sz, void *ctx)
{
static int sentServerHello = FALSE;
if (!sentServerHello) {
byte renegExt[] = { 0xFF, 0x01, 0x00, 0x01, 0x00 };
size_t i;
if (sz < (int)sizeof(renegExt))
return WOLFSSL_CBIO_ERR_GENERAL;
/* Remove SCR from ServerHello */
for (i = 0; i < sz - sizeof(renegExt); i++) {
if (XMEMCMP(buf + i, renegExt, sizeof(renegExt)) == 0) {
/* Found the extension. Change it to something unrecognized. */
buf[i+1] = 0x11;
break;
}
}
sentServerHello = TRUE;
}
return EmbedSend(ssl, buf, sz, ctx);
}
static void test_harden_no_secure_renegotiation_ssl_ready(WOLFSSL* ssl)
{
wolfSSL_SSLSetIOSend(ssl, test_harden_no_secure_renegotiation_io_cb);
}
static void test_harden_no_secure_renegotiation_on_cleanup(WOLFSSL* ssl)
{
WOLFSSL_ALERT_HISTORY h;
AssertIntEQ(wolfSSL_get_alert_history(ssl, &h), WOLFSSL_SUCCESS);
AssertIntEQ(h.last_rx.code, handshake_failure);
AssertIntEQ(h.last_rx.level, alert_fatal);
}
static int test_harden_no_secure_renegotiation(void)
{
callback_functions client_cbs, server_cbs;
XMEMSET(&client_cbs, 0, sizeof(client_cbs));
XMEMSET(&server_cbs, 0, sizeof(server_cbs));
client_cbs.method = wolfTLSv1_2_client_method;
server_cbs.method = wolfTLSv1_2_server_method;
server_cbs.ssl_ready = test_harden_no_secure_renegotiation_ssl_ready;
server_cbs.on_cleanup = test_harden_no_secure_renegotiation_on_cleanup;
test_wolfSSL_client_server_nofail(&client_cbs, &server_cbs);
AssertIntEQ(client_cbs.return_code, TEST_FAIL);
AssertIntEQ(client_cbs.last_err, SECURE_RENEGOTIATION_E);
AssertIntEQ(server_cbs.return_code, TEST_FAIL);
AssertIntEQ(server_cbs.last_err, SOCKET_ERROR_E);
return TEST_RES_CHECK(1);
}
#else
static int test_harden_no_secure_renegotiation(void)
{
return TEST_SKIPPED;
}
#endif
/*----------------------------------------------------------------------------*
| Main
*----------------------------------------------------------------------------*/
@ -65705,6 +65776,7 @@ TEST_CASE testCases[] = {
TEST_DECL(test_extra_alerts_wrong_cs),
TEST_DECL(test_extra_alerts_skip_hs),
TEST_DECL(test_extra_alerts_bad_psk),
TEST_DECL(test_harden_no_secure_renegotiation),
/* If at some point a stub get implemented this test should fail indicating
* a need to implement a new test case
*/

128
wolfssl/internal.h
View File

@ -304,8 +304,19 @@
#undef HAVE_AES_CBC
#endif
/* When adding new ciphersuites, make sure that they have appropriate
* guards for WOLFSSL_HARDEN_TLS. */
#if defined(WOLFSSL_HARDEN_TLS) && \
!defined(WOLFSSL_HARDEN_TLS_ALLOW_ALL_CIPHERSUITES)
/* Use a separate define (undef'ed later) to simplify macro logic. */
#define WSSL_HARDEN_TLS WOLFSSL_HARDEN_TLS
#define NO_TLS_DH
#endif
#ifndef WOLFSSL_AEAD_ONLY
#if !defined(NO_RSA) && !defined(NO_RC4)
#if !defined(NO_RSA) && !defined(NO_RC4) && !defined(WSSL_HARDEN_TLS)
/* MUST NOT negotiate RC4 cipher suites
* https://www.rfc-editor.org/rfc/rfc9325#section-4.1 */
#if defined(WOLFSSL_STATIC_RSA)
#if !defined(NO_SHA)
#define BUILD_SSL_RSA_WITH_RC4_128_SHA
@ -376,7 +387,10 @@
#define BUILD_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256
#endif
#endif
#if !defined(NO_DH)
#if !defined(NO_DH) && !defined(NO_TLS_DH)
/* SHOULD NOT negotiate cipher suites based on ephemeral
* finite-field Diffie-Hellman key agreement (i.e., "TLS_DHE_*"
* suites). https://www.rfc-editor.org/rfc/rfc9325#section-4.1 */
#if !defined(NO_SHA)
#define BUILD_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
#define BUILD_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
@ -458,7 +472,10 @@
#endif
#if !defined(NO_DH) && !defined(NO_AES) && !defined(NO_TLS) && \
!defined(NO_RSA)
!defined(NO_RSA) && !defined(NO_TLS_DH)
/* SHOULD NOT negotiate cipher suites based on ephemeral
* finite-field Diffie-Hellman key agreement (i.e., "TLS_DHE_*"
* suites). https://www.rfc-editor.org/rfc/rfc9325#section-4.1 */
#if !defined(NO_SHA)
#if defined(WOLFSSL_AES_128) && defined(HAVE_AES_CBC)
@ -492,7 +509,11 @@
#endif
#endif
#if !defined(NO_DH) && !defined(NO_PSK) && !defined(NO_TLS)
#if !defined(NO_DH) && !defined(NO_PSK) && !defined(NO_TLS) && \
!defined(NO_TLS_DH)
/* SHOULD NOT negotiate cipher suites based on ephemeral
* finite-field Diffie-Hellman key agreement (i.e., "TLS_DHE_*"
* suites). https://www.rfc-editor.org/rfc/rfc9325#section-4.1 */
#ifndef NO_SHA256
#if !defined(NO_AES) && defined(WOLFSSL_AES_128) && \
defined(HAVE_AES_CBC)
@ -619,7 +640,9 @@
#endif
#endif
#endif /* NO_AES */
#if !defined(NO_RC4)
#if !defined(NO_RC4) && !defined(WSSL_HARDEN_TLS)
/* MUST NOT negotiate RC4 cipher suites
* https://www.rfc-editor.org/rfc/rfc9325#section-4.1 */
#if !defined(NO_SHA)
#if !defined(NO_RSA)
#ifndef WOLFSSL_AEAD_ONLY
@ -642,7 +665,11 @@
#endif
#endif
#endif
#if !defined(NO_DES3)
#if !defined(NO_DES3) && !(defined(WSSL_HARDEN_TLS) && \
WSSL_HARDEN_TLS > 112)
/* 3DES offers only 112 bits of security.
* Using guidance from section 5.6.1
* https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf */
#ifndef NO_SHA
#if !defined(NO_RSA)
#define BUILD_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
@ -692,7 +719,10 @@
#if !defined(NO_RSA) && defined(HAVE_ECC)
#define BUILD_TLS_ECDHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256
#endif
#if !defined(NO_DH) && !defined(NO_RSA)
#if !defined(NO_DH) && !defined(NO_RSA) && !defined(NO_TLS_DH)
/* SHOULD NOT negotiate cipher suites based on ephemeral
* finite-field Diffie-Hellman key agreement (i.e., "TLS_DHE_*"
* suites). https://www.rfc-editor.org/rfc/rfc9325#section-4.1 */
#define BUILD_TLS_DHE_RSA_WITH_CHACHA20_OLD_POLY1305_SHA256
#endif
#endif /* NO_OLD_POLY1305 */
@ -702,7 +732,10 @@
defined(HAVE_ED448)
#define BUILD_TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256
#endif
#ifndef NO_DH
#if !defined(NO_DH) && !defined(NO_TLS_DH)
/* SHOULD NOT negotiate cipher suites based on ephemeral
* finite-field Diffie-Hellman key agreement (i.e., "TLS_DHE_*"
* suites). https://www.rfc-editor.org/rfc/rfc9325#section-4.1 */
#define BUILD_TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256
#endif
#endif /* !NO_PSK */
@ -711,7 +744,10 @@
#endif /* !WOLFSSL_MAX_STRENGTH */
#if !defined(NO_DH) && !defined(NO_AES) && !defined(NO_TLS) && \
!defined(NO_RSA) && defined(HAVE_AESGCM)
!defined(NO_RSA) && defined(HAVE_AESGCM) && !defined(NO_TLS_DH)
/* SHOULD NOT negotiate cipher suites based on ephemeral
* finite-field Diffie-Hellman key agreement (i.e., "TLS_DHE_*"
* suites). https://www.rfc-editor.org/rfc/rfc9325#section-4.1 */
#if !defined(NO_SHA256) && defined(WOLFSSL_AES_128)
#define BUILD_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
@ -722,7 +758,11 @@
#endif
#endif
#if !defined(NO_DH) && !defined(NO_PSK) && !defined(NO_TLS)
#if !defined(NO_DH) && !defined(NO_PSK) && !defined(NO_TLS) && \
!defined(NO_TLS_DH)
/* SHOULD NOT negotiate cipher suites based on ephemeral
* finite-field Diffie-Hellman key agreement (i.e., "TLS_DHE_*"
* suites). https://www.rfc-editor.org/rfc/rfc9325#section-4.1 */
#ifndef NO_SHA256
#if defined(HAVE_AESGCM) && defined(WOLFSSL_AES_128)
#define BUILD_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256
@ -792,7 +832,10 @@
#define BUILD_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
#endif
#endif
#if !defined(NO_DH) && !defined(NO_RSA)
#if !defined(NO_DH) && !defined(NO_RSA) && !defined(NO_TLS_DH)
/* SHOULD NOT negotiate cipher suites based on ephemeral
* finite-field Diffie-Hellman key agreement (i.e., "TLS_DHE_*"
* suites). https://www.rfc-editor.org/rfc/rfc9325#section-4.1 */
#define BUILD_TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
#endif
#endif
@ -912,7 +955,9 @@
#define BUILD_AES
#endif
#ifndef NO_RC4
#if !defined(NO_RC4) && !defined(WSSL_HARDEN_TLS)
/* MUST NOT negotiate RC4 cipher suites
* https://www.rfc-editor.org/rfc/rfc9325#section-4.1 */
#undef BUILD_ARC4
#define BUILD_ARC4
#endif
@ -937,6 +982,23 @@
#define HAVE_PFS
#endif
#ifdef WSSL_HARDEN_TLS
#ifdef HAVE_NULL_CIPHER
#error "NULL ciphers not allowed https://www.rfc-editor.org/rfc/rfc9325#section-4.1"
#endif
#ifdef WOLFSSL_STATIC_RSA
#error "Static RSA ciphers not allowed https://www.rfc-editor.org/rfc/rfc9325#section-4.1"
#endif
#ifdef WOLFSSL_STATIC_DH
#error "Static DH ciphers not allowed https://www.rfc-editor.org/rfc/rfc9325#section-4.1"
#endif
#ifdef HAVE_ANON
#error "At least the server side has to be authenticated"
#endif
#endif
#undef WSSL_HARDEN_TLS
/* actual cipher values, 2nd byte */
enum {
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA = 0x16,
@ -1123,12 +1185,29 @@ enum {
/* set minimum DH key size allowed */
#ifndef WOLFSSL_MIN_DHKEY_BITS
#ifdef WOLFSSL_MAX_STRENGTH
#if defined(WOLFSSL_HARDEN_TLS) && !defined(WOLFSSL_HARDEN_TLS_NO_PKEY_CHECK)
/* Using guidance from section 5.6.1
* https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf */
#if WOLFSSL_HARDEN_TLS >= 128
#define WOLFSSL_MIN_DHKEY_BITS 3072
#elif WOLFSSL_HARDEN_TLS >= 112
#define WOLFSSL_MIN_DHKEY_BITS 2048
#endif
#elif defined(WOLFSSL_MAX_STRENGTH)
#define WOLFSSL_MIN_DHKEY_BITS 2048
#else
#define WOLFSSL_MIN_DHKEY_BITS 1024
#endif
#endif
#if defined(WOLFSSL_HARDEN_TLS) && WOLFSSL_MIN_DHKEY_BITS < 2048 && \
!defined(WOLFSSL_HARDEN_TLS_NO_PKEY_CHECK)
/* Implementations MUST NOT negotiate cipher suites offering less than
* 112 bits of security.
* https://www.rfc-editor.org/rfc/rfc9325#section-4.1
* Using guidance from section 5.6.1
* https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf */
#error "For 112 bits of security DH needs at least 2048 bit keys"
#endif
#if (WOLFSSL_MIN_DHKEY_BITS % 8)
#error DH minimum bit size must be multiple of 8
#endif
@ -1156,6 +1235,10 @@ enum {
#endif
#define MAX_DHKEY_SZ (WOLFSSL_MAX_DHKEY_BITS / 8)
#if WOLFSSL_MAX_DHKEY_BITS < WOLFSSL_MIN_DHKEY_BITS
#error "WOLFSSL_MAX_DHKEY_BITS has to be greater than WOLFSSL_MIN_DHKEY_BITS"
#endif
#ifndef MAX_PSK_ID_LEN
/* max psk identity/hint supported */
#if defined(WOLFSSL_TLS13)
@ -1751,12 +1834,29 @@ enum Misc {
/* set minimum RSA key size allowed */
#ifndef WOLFSSL_MIN_RSA_BITS
#ifdef WOLFSSL_MAX_STRENGTH
#if defined(WOLFSSL_HARDEN_TLS) && !defined(WOLFSSL_HARDEN_TLS_NO_PKEY_CHECK)
/* Using guidance from section 5.6.1
* https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf */
#if WOLFSSL_HARDEN_TLS >= 128
#define WOLFSSL_MIN_RSA_BITS 3072
#elif WOLFSSL_HARDEN_TLS >= 112
#define WOLFSSL_MIN_RSA_BITS 2048
#endif
#elif defined(WOLFSSL_MAX_STRENGTH)
#define WOLFSSL_MIN_RSA_BITS 2048
#else
#define WOLFSSL_MIN_RSA_BITS 1024
#endif
#endif /* WOLFSSL_MIN_RSA_BITS */
#if defined(WOLFSSL_HARDEN_TLS) && WOLFSSL_MIN_RSA_BITS < 2048 && \
!defined(WOLFSSL_HARDEN_TLS_NO_PKEY_CHECK)
/* Implementations MUST NOT negotiate cipher suites offering less than
* 112 bits of security.
* https://www.rfc-editor.org/rfc/rfc9325#section-4.1
* Using guidance from section 5.6.1
* https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf */
#error "For 112 bits of security RSA needs at least 2048 bit keys"
#endif
#if (WOLFSSL_MIN_RSA_BITS % 8)
/* This is to account for the example case of a min size of 2050 bits but
still allows 2049 bit key. So we need the measurement to be in bytes. */

44
wolfssl/wolfcrypt/settings.h
View File

@ -306,6 +306,12 @@
#endif
#ifdef WOLFSSL_HARDEN_TLS
#if WOLFSSL_HARDEN_TLS != 112 && WOLFSSL_HARDEN_TLS != 128
#error "WOLFSSL_HARDEN_TLS must be defined either to 112 or 128 bits of security."
#endif
#endif
#if defined(_WIN32) && !defined(_M_X64) && \
defined(HAVE_AESGCM) && defined(WOLFSSL_AESNI)
@ -2007,7 +2013,16 @@ extern void uITRON4_free(void *p) ;
#ifdef WOLFSSL_MIN_ECC_BITS
#define ECC_MIN_KEY_SZ WOLFSSL_MIN_ECC_BITS
#else
#if FIPS_VERSION_GE(2,0)
#if defined(WOLFSSL_HARDEN_TLS) && \
!defined(WOLFSSL_HARDEN_TLS_NO_PKEY_CHECK)
/* Using guidance from section 5.6.1
* https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf */
#if WOLFSSL_HARDEN_TLS >= 128
#define ECC_MIN_KEY_SZ 256
#elif WOLFSSL_HARDEN_TLS >= 112
#define ECC_MIN_KEY_SZ 224
#endif
#elif FIPS_VERSION_GE(2,0)
/* FIPSv2 and ready (for now) includes 192-bit support */
#define ECC_MIN_KEY_SZ 192
#else
@ -2016,6 +2031,16 @@ extern void uITRON4_free(void *p) ;
#endif
#endif
#if defined(WOLFSSL_HARDEN_TLS) && ECC_MIN_KEY_SZ < 224 && \
!defined(WOLFSSL_HARDEN_TLS_NO_PKEY_CHECK)
/* Implementations MUST NOT negotiate cipher suites offering less than
* 112 bits of security.
* https://www.rfc-editor.org/rfc/rfc9325#section-4.1
* Using guidance from section 5.6.1
* https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf */
#error "For 112 bits of security ECC needs at least 224 bit keys"
#endif
/* ECC Configs */
#ifdef HAVE_ECC
/* By default enable Sign, Verify, DHE, Key Import and Key Export unless
@ -2967,6 +2992,23 @@ extern void uITRON4_free(void *p) ;
#error "Dynamic session cache currently does not support persistent session cache."
#endif
#ifdef WOLFSSL_HARDEN_TLS
#if defined(HAVE_TRUNCATED_HMAC) && !defined(WOLFSSL_HARDEN_TLS_ALLOW_TRUNCATED_HMAC)
#error "Truncated HMAC Extension not allowed https://www.rfc-editor.org/rfc/rfc9325#section-4.6"
#endif
#if !defined(NO_OLD_TLS) && !defined(WOLFSSL_HARDEN_TLS_ALLOW_OLD_TLS)
#error "TLS < 1.2 protocol versions not allowed https://www.rfc-editor.org/rfc/rfc9325#section-3.1.1"
#endif
#if !defined(WOLFSSL_NO_TLS12) && !defined(HAVE_SECURE_RENEGOTIATION) && \
!defined(HAVE_SERVER_RENEGOTIATION_INFO) && !defined(WOLFSSL_HARDEN_TLS_NO_SCR_CHECK)
#error "TLS 1.2 requires at least HAVE_SERVER_RENEGOTIATION_INFO to send the secure renegotiation extension https://www.rfc-editor.org/rfc/rfc9325#section-3.5"
#endif
#if !defined(WOLFSSL_EXTRA_ALERTS) || !defined(WOLFSSL_CHECK_ALERT_ON_ERR)
#error "RFC9325 requires some additional alerts to be sent"
#endif
/* Ciphersuite check done in internal.h */
#endif
#ifdef __cplusplus
} /* extern "C" */
#endif